#!/bin/sh

# Create a new self-signed certificate.
# This is a "traditional" CAcert root key using 4096 bit RSA

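# Stop at the first failing command (or unset variable). Without this, a
# failed key generation would still let the copy and signing steps run
# against stale or missing files.
set -eu

# The copies below need tempCA/ to exist; check before generating any keys.
if [ ! -d tempCA ]; then
  echo "tempCA directory not found; run this script from its parent directory" >&2
  exit 1
fi

echo "Creating root certificate"
# -nodes writes the private key unencrypted, so file permissions are its only
# protection. The restrictive umask is scoped to a subshell so that the key
# file is created owner-only instead of being tightened after the fact.
(
  umask 077
  openssl req -x509 -out NewTestserverRoot.crt \
    -newkey rsa:4096 -keyform PEM -nodes -keyout NewTestserverRootKey.pem \
    -sha256 -set_serial 0x1 -days 3650 \
    -subj "/C=CH/ST=Geneva/L=Geneva/O=CAcert Inc ***TEST***/OU=Test and Development/CN=CAcert Testserver Root" \
    -config testserver-root.cnf \
    -reqexts testserver_root
)
# The certificate is public data; give it ordinary read permissions again.
chmod 644 NewTestserverRoot.crt
# OpenSSL 1.0.1 does not support the -addext parameter, therefore a config file is necessary
#  -addext "nsCaPolicyUrl=http://www.CAcert.org/index.php?id=10" \
#  -addext "nsComment=***DO NOT USE THIS IN A PRODUCTION ENVIRONMENT" \
#  -addext "certificatePolicies=http://www.CAcert.org/index.php?id=10" \
# NOTE(review): with -x509, older OpenSSL releases appear to take certificate
# extensions from -extensions / x509_extensions rather than -reqexts. Confirm
# with "openssl x509 -noout -text -in NewTestserverRoot.crt" that the
# testserver_root extensions are present in the generated root.

cp NewTestserverRoot.crt tempCA/cacert.crt
cp NewTestserverRootKey.pem tempCA/cacert.pem
# cp keeps the mode of an already existing destination file, so pin the
# copied private key to owner-only explicitly.
chmod 600 tempCA/cacert.pem

echo "Creating CSR for class3 intermediate certificate"
# Same handling as for the root key: unencrypted key, created owner-only.
(
  umask 077
  openssl req -out NewTestserverClass3.csr \
    -newkey rsa:4096 -keyform PEM -nodes -keyout NewTestserverClass3Key.pem \
    -subj "/C=CH/ST=Geneva/L=Geneva/O=CAcert Inc ***TEST***/OU=Test and Development/CN=CAcert Testserver Class 3"
)
# The CSR carries no secret material.
chmod 644 NewTestserverClass3.csr

# Sign the class3 CSR. The signing key and the remaining CA settings come
# from testserver-class3.cnf, which is not part of this script.
openssl ca -config testserver-class3.cnf \
  -in NewTestserverClass3.csr -out NewTestserverClass3.crt \
  -days 3650 -md sha256 -policy policy_anything -extensions class3_root \
  -subj "/C=CH/ST=Geneva/L=Geneva/O=CAcert Inc ***TEST***/OU=Test and Development/CN=CAcert Testserver Class 3"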
